12 Example: Pretty Good Privacy Public key based: Fred encrypts his message with the public key of Barney. For authentication Fred appends a signature at his mail. Only Barney can decrypt the content of this mail. Barney decrypts the signature with the public key of Fred. 12 Prof. Dr. Thomas Schmidt

14 Example: SSL/TLS Transport Layer Security: RFC 2246, 3546 Protocol for encrypted transfer between unknown clients and known servers (approved by certification). Public key based session-initiation: on request server sends public key to a client. Client generates a pre-shared secret (private key) and sends this with the received public key encrypted to the server. Communication afterwards will be encrypted symmetrically. 14 Prof. Dr. Thomas Schmidt

30 Encryption Methods IPSec can employ different encryption methods. To initiate a Security Association either a Public Key Infrastructure (PKI) or Preshared Secrets (offline) are needed. While an SA is running, data will be encrypted via symmetric encryption methods (performance). To regularly exchange keys an Internet Key Exchange Daemon is part of the IPSec concept. 30 Prof. Dr. Thomas Schmidt

35 Example 2: Cryptographically Generated Addresses (IPv6) Problem: In IP infrastructure protocols the sender of a message frequently has to prove its ownership of address to a receiver, it never met before. Authentication between unknown partners normally requires a public key infrastructure. Cryptographically Generated Addresses (CGAs) are source addresses formed from the public key (RFC 3972). This mechanism allows the authentication of sender s address and the signing of data without a PKI. Most important uses: SEND (RFC 3971), OMIPv6 (IEdraft) 35 Prof. Dr. Thomas Schmidt

39 CGA: Decapsulation Steps 1. Receiver extracts network prefix and the public key e from the CGA parameter header. 2. It decrypts the signature with the public key e and verifies the CGA parameters + Data. 3. Receiver re-calculates and verifies sender s source address as a 64 bit hash from e. 4. The receiver can now be sure, that the received packet has been originally sent by the owner of the claimed IP address. 39 Prof. Dr. Thomas Schmidt

40 Summary Security in the net can be improved on many layers Final selection of a technology needs a careful need analysis The level of security achieved is determined by concept / algorithms, key strength and the management quality There is no such thing as secure (only more secure) 40 Prof. Dr. Thomas Schmidt

Network Security [2] Public Key Encryption Also used in message authentication & key distribution Based on mathematical algorithms, not only on operations over bit patterns (as conventional) => much overhead

Chapter 4 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVL328 Firewall. VPN tunnels provide secure, encrypted communications between

29 IP SECURITY (IPSEC) PROTOCOLS One of the weaknesses of the original Internet Protocol (IP) is that it lacks any sort of general-purpose mechanism for ensuring the authenticity and privacy of data as

Security in Wireless LANs and Mobile Networks Wireless Magnifies Exposure Vulnerability Information going across the wireless link is exposed to anyone within radio range RF may extend beyond a room or

Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in

Basic Security Requirements and Techniques Confidentiality The property that stored or transmitted information cannot be read or altered by an unauthorized party Integrity The property that any alteration

Module 8 Network Security Lesson 2 Secured Communication Specific Instructional Objectives On completion of this lesson, the student will be able to: State various services needed for secured communication

Communication System Security, Chapter 3, Draft, L.D. Chen and G. Gong, 2008 1 Chapter 3. Network Domain Security A network can be considered as the physical resource for a communication system. This chapter

Page 1 of 8 Using IPSec in Windows 2000 and XP, Part 2 Chris Weber 2001-12-20 This is the second part of a three-part series devoted to discussing the technical details of using Internet Protocol Security

Header (AH) AH Layout Other AH Fields Mutable Parts of the IP Header What is an SPI? What s an SA? Encapsulating Security Payload (ESP) ESP Layout Padding Using ESP IPsec and Firewalls IPsec and the DNS

PART-A Questions 1. Name the aspects to be considered of information security. 2. What is meant by deciphering? 3. What are the two different uses of public key cryptography related to key distribution?

EXAM questions for the course TTM4135 - Information Security May 2013 Part 1 This part consists of 5 questions all from one common topic. The number of maximal points for every correctly answered question

Secure Remote Monitoring of the Critical System Infrastructure An Application Note from the Experts in Business-Critical Continuity TABLE OF CONTENTS Introduction................................................2

encor! enetworks TM Version A.1, March 2010 2010 Encore Networks, Inc. All rights reserved. The BANDIT Products in Virtual Private Networks One of the principal features of the BANDIT products is their

CHAPTER 1 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features in this chapter apply to IPv4 and IPv6 unless otherwise noted. Secure

VPN For BIPAC 741/743GE August, 2003 1 The router supports VPN to establish secure, end-to-end private network connections over a public networking infrastructure. There are two types of VPN connections,

Final exam review, Fall 2005 FSU (CIS-5357) Network Security Instructor: Breno de Medeiros 1. What is an insertion attack against a NIDS? Answer: An insertion attack against a network intrusion detection

Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics

An architecture for the Internet Key Exchange Protocol by P.-C. Cheng In this paper we present the design, rationale, and implementation of the Internet Key Exchange (IKE) Protocol. This protocol is used